Re: [Pana] I-D Action: draft-yegin-pana-unspecified-addr-05.txt

Yasuyuki Tanaka <yatch@isl.rdc.toshiba.co.jp> Thu, 09 February 2012 11:46 UTC

Return-Path: <yatch@isl.rdc.toshiba.co.jp>
X-Original-To: pana@ietfa.amsl.com
Delivered-To: pana@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3C7021F8702 for <pana@ietfa.amsl.com>; Thu, 9 Feb 2012 03:46:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.089
X-Spam-Level:
X-Spam-Status: No, score=-4.089 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JHfFVFFE9heK for <pana@ietfa.amsl.com>; Thu, 9 Feb 2012 03:46:00 -0800 (PST)
Received: from imx2.toshiba.co.jp (inet-tsb5.toshiba.co.jp [202.33.96.24]) by ietfa.amsl.com (Postfix) with ESMTP id B3B2021F8514 for <pana@ietf.org>; Thu, 9 Feb 2012 03:45:59 -0800 (PST)
Received: from arc1.toshiba.co.jp ([133.199.194.235]) by imx2.toshiba.co.jp with ESMTP id q19BjwAM021072 for <pana@ietf.org>; Thu, 9 Feb 2012 20:45:58 +0900 (JST)
Received: (from root@localhost) by arc1.toshiba.co.jp id q19BjwDP023568 for pana@ietf.org; Thu, 9 Feb 2012 20:45:58 +0900 (JST)
Received: from unknown [133.199.192.144] by arc1.toshiba.co.jp with ESMTP id WAA23567; Thu, 9 Feb 2012 20:45:58 +0900
Received: from mx11.toshiba.co.jp (localhost [127.0.0.1]) by ovp2.toshiba.co.jp with ESMTP id q19Bjvf9013258 for <pana@ietf.org>; Thu, 9 Feb 2012 20:45:58 +0900 (JST)
Received: from spiffy21.isl.rdc.toshiba.co.jp by toshiba.co.jp id q19BjHn6019446; Thu, 9 Feb 2012 20:45:17 +0900 (JST)
Received: from [133.196.16.71] (ncg-dhcp71.isl.rdc.toshiba.co.jp [133.196.16.71]) by spiffy21.isl.rdc.toshiba.co.jp (Postfix) with ESMTPS id 9A7FF97CA6; Thu, 9 Feb 2012 20:45:57 +0900 (JST)
Message-ID: <4F33B1F5.2010607@isl.rdc.toshiba.co.jp>
Date: Thu, 09 Feb 2012 20:45:57 +0900
From: Yasuyuki Tanaka <yatch@isl.rdc.toshiba.co.jp>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Alper Yegin <alper.yegin@yegin.org>
References: <20111216133844.32034.20748.idtracker@ietfa.amsl.com> <35748338-4BE5-40AD-96C4-EAE501162372@yegin.org> <DB9259A8-E3E1-4A92-805D-1C8A21D03D44@um.es> <4025A151-3A1E-431F-8DB9-798EE717E2FA@yegin.org> <B0A66B63-E291-4704-9BE4-1B4345BC475C@um.es> <4F335D45.7040404@isl.rdc.toshiba.co.jp> <3882200C-6C19-4775-9BFA-E3ADC9CC2829@yegin.org>
In-Reply-To: <3882200C-6C19-4775-9BFA-E3ADC9CC2829@yegin.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: pana@ietf.org
Subject: Re: [Pana] I-D Action: draft-yegin-pana-unspecified-addr-05.txt
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pana>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2012 11:46:01 -0000

Hello,

 > The largest PANA message is possibly not the very first PAR
 > from the PAA (unlike the current draft states). Such a PAR can
 > be carrying a EAP-Request/Identity, hence not really be caring
 > a minimum EAP MTU size.  A subsequent PAR can be carrying
 > that (and it'd not have the Integrity-Algorithm, PRF-Algorithm,
 > and Token AVPs).
 >
 > Are you using the same reasoning for your above suggestion?
Yes. To shorten a PANA Message, we can send an EAP-Payload AVP in
another PANA Message.

Strictly speaking, RFC 5191 has no upper limit on the number of
PRF-Algorithm AVPs and Integrity-Algorithm AVPs which are
contained in a PAR. The size of a PANA message might be the
maximum size of the UDP data... Is this correct?

[Figure 4, RFC 5191]
    The table uses the following symbols:

    0     The AVP MUST NOT be present in the message.

    0-1   Zero or one instance of the AVP MAY be present in the message.
          It is considered an error if there is more than one instance of
          the AVP.

    1     One instance of the AVP MUST be present in the message.

    0+    Zero or more instances of the AVP MAY be present in the
          message.

                          +---------------------------+
                          |        Message Type       |
                          +---+---+---+---+---+---+---+
    Attribute Name        |PCI|PAR|PAN|PTR|PTA|PNR|PNA|
    ----------------------+---+---+---+---+---+---+---+
    AUTH                  | 0 |0-1|0-1|0-1|0-1|0-1|0-1|
    EAP-Payload           | 0 |0-1|0-1| 0 | 0 | 0 | 0 |
    Integrity-Algorithm   | 0 |0+ |0-1| 0 | 0 | 0 | 0 |
    Key-Id                | 0 |0-1|0-1| 0 | 0 | 0 | 0 |
    Nonce                 | 0 |0-1|0-1| 0 | 0 | 0 | 0 |
    PRF-Algorithm         | 0 |0+ |0-1| 0 | 0 | 0 | 0 |
    Result-Code           | 0 |0-1| 0 | 0 | 0 | 0 | 0 |
    Session-Lifetime      | 0 |0-1| 0 | 0 | 0 | 0 | 0 |
    Termination-Cause     | 0 | 0 | 0 | 1 | 0 | 0 | 0 |
    ----------------------+---+---+---+---+---+---+---+

    Figure 4: AVP Occurrence Table

Best,
Yasuyuki Tanaka

(2012/02/09 18:11), Alper Yegin wrote:
> Hello,
>
> Thank you for the review and feedback.
>
> On Feb 9, 2012, at 7:44 AM, Yasuyuki Tanaka wrote:
>
>> Hi all,
>>
>> I have four comments about the draft. I put them at the bottom of
>> this mail. Please see them.
>>
>> Best,
>> Yasuyuki Tanaka
>>
>> ---------------------------------------------------------------------
>>
>> (1) Page 4, Paragraph 1
>> It would be helpful to add text about the source port number and the
>> destination port number of the PCI as below.
>>
>> [edited]
>>   Step 1: The PaC initiates PANA by sending a broadcasted PCI carrying
>>   a Token AVP that contains a random value generated by the PaC.
>>
>> ! The source IPv4 address of the PCI is set to 0.0.0.0. The source
>> ! port number is chosen by the PaC. The destination IPv4 address is
>> ! set to 255.255.255.255. The destination port number is the PANA port
>> ! number (716).
>>
>> [original]
>>   Step 1: The PaC initiates PANA by sending a broadcasted PCI carrying
>>   a Token AVP that contains a random value generated by the PaC.
>>
>>   The source IPv4 address of the PCI is set to 0.0.0.0.  The
>>   destination IPv4 address is set to 255.255.255.255.
>>
>
>
> OK.
>
>> ---------------------------------------------------------------------
>>
>> (2) Figure 1, Page 4
>>
>> If the PAA want to initiate re-authentication, PAA have to know PaC's
>> IPv4 address which is configured by DHCP.
>>
>> It would be better that Figure 1 has messages related to "PaC Updating
>> Its IP Address" described in Section 5.6, RFC 5191.
>>
>> [Section 5.6. in RFC 5191]
>>   After the PaC has changed its IP address used for PANA, it MUST send
>>   any valid PANA message.  If the message that carries the new PaC IP
>>   address in the Source Address field of the IP header is valid, the
>>   PAA MUST update the PANA session with the new PaC address.  If there
>>   is an established PANA SA, the message MUST be protected with an
>>   AUTH AVP.
>
>
> Let us consider that.
>
>> ---------------------------------------------------------------------
>>
>> (3) Page 6, Paragraph 3
>>
>> I have no idea which PAR should have 'I' bit. Every PAR sent by
>> PAA should have 'I' bit? Or, only a PAR with 'C' bit should have
>> 'I' bit? (I think the latter is preferable.)
>>
>> I've referred to RFC 5191, but I've not found the answer.
>>
>
> I think this is an ambiguity with the RFC 5191. PAR with 'C' bit makes sense.
>
>
>> [original]
>>   The PAA SHALL set the 'I' (IP Reconfiguration) bit of PAR messages
>>   in authentication and authorization phase so that the PaC proceeds
>>   to IP address configuration.
>>
>> ---------------------------------------------------------------------
>>
>> (4) Page 6, Paragraph 7
>> I don't think that the description about the size of the largest PANA
>> is correct. This is because the initial PAR could have multiple
>> Integrity-Algorithm AVPs and PRF-Algorithm AVPs. This specification is
>> described in Section 4.1, RFC 5191.
>>
>> [Section 4.1. in RFC 5191]
>>    the PAA sends the initial PANA-Auth-Request carrying one or more
>>    PRF-Algorithm AVPs and one or more Integrity-Algorithm AVPs for the
>>    PRF and integrity algorithms supported by it, respectively.
>>
>> In my understanding, it is sufficient to consider a PANA Message which
>> has only one EAP-Payload AVP for "Message Size Considerations". In
>> other words, the minimum PANA MTU size is equivalent to the size of a
>> PANA message which has only one EAP-Payload AVP.
>>
>
>
> We are trying to find the the size of the largest PANA message.
> The largest PANA message is possibly not the very first PAR from the PAA (unlike the current draft states).
> Such a PAR can be carrying a EAP-Request/Identity, hence not really be caring a minimum EAP MTU size.
> A subsequent PAR can be carrying that (and it'd not have the Integrity-Algorithm, PRF-Algorithm, and Token AVPs).
>
> Are you using the same reasoning for your above suggestion?
>
> Alper
>
>
>
>> ---------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> Pana mailing list
>> Pana@ietf.org
>> https://www.ietf.org/mailman/listinfo/pana
>